I need to get more understanding about SSO on a web app against Active Directory.

For simply ask the user the login to authenticate on AD, I know that I can use some libraries like Zend_Ldap, adLdap and so on. But in this case, the user still need to type the login twice.
For example: Authenticate against Active Directory/ISA from php

First I need to know which apache module I need to use and why.
In this article for example there are three: mod_ntlm, mod_auth_kerb and Apache2:AuthenNTLM.
And the thosed one was Apache2:AuthenNTLM

In the question described above the accepted answer was for mod_auth_sspi.

When talking about Active Directory I've got this answer, which describes active directory as an implementation of ldap + kerberos + "a few other miscellaneous bits and pieces".

I'm very confused about all these names, since I've nerver worked with it.
Can someone clarify it to me? (ldap, kerberos, ntlm, sspi etc)

Finally, can someone point me to how the app recognize the authenticated user (from AD). Is it just by the username passed with somethink like $_SERVER['REMOTE_USER']? Any password is sent? How does the browser send this extra headers? Is there any local configuration that need to be done in each workstation?

2 Answers
2

LDAP: LDAP is a protocol for communicating user directory information. It can also handle authentication, but it is not seamless (SSO).

NTLM: NTLM is Microsoft's SSO built into IE, ActiveDirectory and IIS. The original version of NTLM is very insecure so NTLMv2 was implemented to fix the security issues in NTLM. The original NTLM is disabled by default in Windows Vista and later.

Kerberos: Kerberos is an open standard that is very secure and is designed to offer seamless (SSO) Authentication. ActiveDirectory supports a version of Kerberos.

As far as the modules that can be used to implement these protocols, you included a pretty good list of them.

mod_ntlm: This is an Apache module that runs on Linux and supports the original NTLM (not NTLMv2).

mod_auth_kerb: This is an Apache module that implements Kerberos.

mod_auth_sspi: This is an Apache module for Windows that supports the original NTLM (not NTLMv2).

Apache2:AuthenNTLM: This is a Perl module that handles NTLM. I don't know if it supports NTLM and NTLMv2.

mod_auth_ntlm_winbind: This is an Apache module that interfaces with Samba's authentication.

LDAP and AD are protocols for storing users and organisation data. They are not useful for doing the actual authentication over web, but you can use them behind an SSO (Such as CAS), as the "database".

This is for an Intranet, so the user logged in the network can be automatically authenticated in the Intranet. Now I have another method CAS. I'd like to know the relation with the methods provided in the question.
–
TPH.Nov 23 '10 at 20:20